Skip to main content

ZXUniPOS NDS-LTE CVE-2026-49000

| EUVDEUVD-2026-32049 HIGH
Cryptographic Issues (CWE-310)
2026-05-27 zte GHSA-grx5-r275-m4vr
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:20 vuln.today

DescriptionCVE.org

An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakage or tampering, such as hard-coded keys or the use of weak encryption algorithms.

AnalysisAI

Information disclosure in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) stems from an insecure cryptographic password scheme - such as hard-coded keys, weak encryption algorithms, or poor key management - that lets remote, unauthenticated attackers recover or tamper with protected data. The CVSS vector (AV:N/AC:H/PR:N) indicates network reachability without credentials but with high attack complexity, and the primary impact is confidentiality loss (C:H) with minor integrity and availability effects. There is no public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile).

Technical ContextAI

ZXUniPOS NDS-LTE is a ZTE telecom/OSS product line (CPE cpe:2.3:a:zte:zxunipos_nds-lte). The flaw is classified under CWE-310 (Cryptographic Issues), the root-cause category covering improper algorithm selection, inadequate key management, hard-coded secrets, and flawed crypto implementation. In practice this means data that should be protected at rest or in transit is secured with an algorithm or key handling that an attacker can defeat - e.g., a static/embedded key reused across deployments or a deprecated cipher - collapsing the confidentiality guarantee the scheme was meant to provide. The supplied description is generic CWE-310 boilerplate and does not name the exact algorithm or key, so the precise cryptographic defect is not specified in the available data.

RemediationAI

Patch available per vendor advisory: consult the ZTE bulletin (https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343394) and upgrade ZXUniPOS NDS-LTE beyond the affected V24.40.40 / V24.30.40CP02 baselines - an exact fixed version is not specified in the available data, so confirm the target build directly with ZTE. Because the defect is cryptographic, software upgrade is the only true fix; as compensating controls until patched, restrict network reachability to the affected service by placing it behind segmentation/firewall rules so the AV:N path is not exposed beyond trusted management networks (trade-off: may break legitimate remote integrations), and rotate any keys or credentials that may have been protected by the weak scheme once the fixed build is deployed (trade-off: requires coordinated re-provisioning). Avoid relying on the existing crypto for any sensitive data until upgraded.

Share

CVE-2026-49000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy